WebApp Sec mailing list archives
Re: Why doesn't Amazon enforce a password policy?
From: "Jamie Riden" <jamesr () europe com>
Date: Sat, 28 Oct 2006 18:11:44 +1300
On 25/10/06, James Strassburg <JStrassburg () directs com> wrote:
> There is a small war going on where I work. I am trying to get a password policy enforced for our web applications and certain business leaders are opposing it. There are two areas of opposition:
>
> 1. Minimum password length of 6 (currently 4, 6 was going to be a compromise).
> 2. Expiration of passwords (currently none).
>
> Strength requirements on the password content seem to be ok with them. These leaders compare our business with Amazon (a bit of a reach but we go with it for argument's sake) and their main argument for not enforcing a minimum password length and password expiration is that Amazon doesn't do it.
If you're losing more revenue by putting customers off with your password policy than you make by enforcing one, it's not 'worth' doing. At least, if you think about it purely in terms of ROI, but that is how some people think about it. Now, I doubt Amazon lose many sales because people are concerned about their lack of a password policy - the canny ones will use a decent password anyway, and the rest don't mind. But if you make the customer's life difficult, some will give up on the site. (I'm not saying you shouldn't enforce a password policy despite this - I would push it, but then I'm not an accountant.)

Can't you make the strength requirements 'at least n bits of entropy'? That should make up for not having a length requirement, and that's all the minimum length is meant to achieve anyway.

And make sure you do the ROI calculations for *your* business model and don't let them get away with the 'we're nearly Amazon, we'll do what they do' thing.

cheers,
Jamie

--
Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
NZ Honeynet project - http://www.nz-honeynet.org/
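Jamie's suggestion of an entropy threshold in place of a fixed minimum length, as an added example that is not part of the original thread: a simple character-pool estimator with a constructed deny list in front of it, since such estimates credit dictionary words with bits they do not have. The 28-bit threshold, the deny-list entries and the size assumed for unclassified characters are assumptions, chosen so the threshold matches the six-character compromise discussed above.

```python
import math
import string

# Character classes and their sizes. A password's pool is the sum of the
# classes it actually uses; this is the usual simple entropy estimator.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),   # 32 ASCII symbols
}
OTHER_CLASS_SIZE = 32  # assumed pool for spaces / non-ASCII (constructed value)

# Constructed deny list: an entropy estimate credits dictionary words
# with bits they do not have, so an exact-match check runs first.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})


def pool_size(password: str) -> int:
    """Sum the sizes of the character classes present in the password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def estimated_entropy_bits(password: str) -> float:
    """log2(pool ** length): an upper bound on the bits a guesser must cover."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def meets_policy(password: str, min_bits: float = 28.0) -> bool:
    """Entropy threshold instead of a fixed minimum length.

    28 bits is roughly what a six-character all-lowercase minimum
    delivers (6 * log2(26) ~= 28.2), so the threshold matches the
    proposed compromise while letting a shorter mixed-class password
    through and rejecting a long but common one.
    """
    if password.lower() in COMMON_PASSWORDS:
        return False
    return estimated_entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ["abcd", "abcdef", "Ab3$", "Ab3$x", "Password"]:
        print(f"{pw!r:12} {estimated_entropy_bits(pw):5.1f} bits  ok={meets_policy(pw)}")
```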